seattle life

Seattle Life – Today we drove over to Saint Demetrios Greek Orthodox Church for the Greek Festival. It was packed; tons of people, and lots of good food. The gyros were being made from frozen preprocessed strips of meat, so it wasn’t exactly like the Greek food I got hooked on in Detroit, Chicago, and Toronto (and sorry to the locals, but Costas Opa isn’t even in the same class of competition); but the pastries were pretty good, and the atmosphere was nice. Lots of families with babies; St. Demetrios is obviously the center of the Greek community out here.

Today the Seattle Post-Intelligencer reports that Corixa is a “formidable” foe to bioterrorist threats like Anthrax. I couldn’t find anything in the article that shows how Corixa or anyone else could possibly stop terrorists from killing tens of thousands of people. They mention a sort of “anomaly detection” system that could notice “blips” in reported illnesses and catch (for example) smallpox before it became an unstoppable epidemic. Well, that’s nice, but thousands of people would be dead by that point, which would easily justify such an attack in the addled mind of a terrorist. And it would take only a few more terrorists to spark a whole new incident. The same with Anthrax; by the time that any symptoms are noticed, another few thousand people are dead. The P-I at least makes the point that vaccines are the only real hope (assuming any were being produced in useful quantities). I suppose this is the same sort of wishful journalism seen in the reports of beefed-up security at airports that is meant to prevent more boxcutters from being brought on board. This gives us a safe feeling, and we can live in comforting denial that three 250-lb guys trained in neck-breaking could do the same thing with no carryon luggage at all. And we can also deny to ourselves the obvious logic that no terrorist organization would be so stupid as to use that attack again, anyway. Unfortunately, if all of the feds are watching the airport, that means that the ventilation system at your local mall is a softer target. These news articles seem to serve a purpose in letting us deny the fact that we are always going to be vulnerable. And they give us the comforting feeling that we can solve this problem by clamming up more tightly into our shells and avoiding uncomfortable external engagement.

Speaking of avoiding externally-directed engagement, I heard that a thousand or so anti-something protesters gathered in Washington D.C. to say that violence will not help. We have ample proof that a bunch of people in Kandahar believe that violence is an answer. Why don’t we put all of the protesters on a plane and let them go make their voices heard to some people who really need help?

And speaking of fuzzy minds, I noticed that Slate is bringing up the issue of racial profiling, which is guaranteed to be a hot topic with people like Kinsley. Kinsley pretends to be agonizing over whether racial profiling is OK in some cases, and conflicted over comparisons to affirmative action. Considering that the hijackers and their supporters come from a wide range of ethnicities, the whole question seems contrived by Kinsley as a straw man fit for examining promiscuously in his column. Or maybe Kinsley really is ignorant and thinks “they all look the same to me”. Kinsley could avoid all of the exhibitionist agonizing by simply stepping back and figuring out what his priorities are. As L. Ron Hubbard once said, “all stress in life comes from conflicting intentions”, pointing out that it is impossible for someone who knows what his priorities are to be unhappy.

I think at this point, most Americans have their priorities remarkably clear. My human right to have an airplane not drive into me is pretty high up on the list. Anyone else who says differently is a liar.


Go – To my generation, Go is both a song and a movie. Beyond its common use as a verb, Go is also the name of the oldest, most strategic, and probably simplest board game known to man. Despite the fact that no computer has ever been able to play Go beyond beginner level, you can use the computer to find other players to challenge. MSN Go has a nice interface, but Yahoo Go has more and better players. I’ve also found that TurboGo is a good way to play speed-go against the computer. Judging by the UI, I am guessing that it was written with Borland Turbo C++, and thus the name TurboGo; so it is probably just a coincidence that the program is best for times when you want to play a quick 5-minute game of go without finding an opponent. Today I sent in the payment for the full version, which is supposed to support two more levels of difficulty.

I’m waiting anxiously for U.S. availability of The Horse That Flew – How India’s Silicon Gurus Spread Their Wings. The interview with the author, Chidanand Rajghatta, reveals some interesting tidbits about the kind of issues that these guys have dealt with. It also makes the credible argument that the dotcom boom for India is just beginning.


Anthraxination – Sick today, with the same cold that my wife and daughter have had for two weeks. I’d rather have a natural sickness than a man-made one anyway. Of the biological threats that the U.S. is most wary of, Anthrax tops the list. Anthrax is 100,000 times more deadly than the deadliest chemical weapon. The USSR (when it was still the USSR) developed a weaponized version of Anthrax that is remarkably infectious and hardy. Before the Central Asian republics broke off to form their own countries, Russia attempted to destroy and bury a bunch of tanks of Anthrax on a small island in the Aral Sea. The problem is, the Anthrax is still alive in the soil, and the Aral Sea has mostly dried up, making it easy for any motivated terrorist to hike out and scoop some up. The former Vozrozhdeniye Island, now an Uzbek peninsula, was home to many other chemical and biological weapons, and is deserted now, carrying plague on the desert winds to the surrounding areas.

It’s fitting that this desolate corner of the world is also home to those who are weaponizing infectious words to spread memes of hate and destruction. In the Wu-Tang song Triumph, rapper Method Man uses a simile, “As the world turns, I spread like germs; Bless the globe with the pestilence, the hard-headed never learn.” This is certainly a sentiment shared by Bin Laden, and more so his incarnation of Hitler’s Dietrich Eckart, Dr Ayman al-Zawahiri.

Most here in the west are immune to the toxic memes, but what to do about Anthrax? A friend of mine worked for the only facility in the U.S. with FDA approval to manufacture Anthrax Vaccine. After he left, the company went through a good deal of turbulence and was eventually privatized (they were originally run by the government). This testimony to the U.S. House of Representatives shows that the government has been aware of a deficiency in our ability to produce Anthrax vaccine for some time. In fact, just two months ago the Department of Defense announced yet another slowdown in Anthrax vaccine production with no estimate of when more would be available. We dropped the ball by letting free media (the antidote to toxic memes) die out in Central Asia; apparently our government has done a crap job of keeping around the antidote for biological agents as well. This is what happens when we skimp on national defense spending.

In an effort to defend against computer worms, ISPs are finally starting to see the wisdom in quarantining infected machines.

shadow economy

Shadow Economy – Knight Ridder picks up on the Hawala angle I mentioned earlier. The author misses a big part of the equation, though, by saying that things will eventually even out between the Hawala dealers in different countries. Not without smuggling, they won’t. There are a heck of a lot more people in America who send money to India than there are people in India that send money to America. Actually, it is possible for things to even out eventually in cases where barter is used. Especially where that barter takes place through multiple parties; one famous example being the “triangle trade” of rum, sugar, and slaves that created an ever-revolving wheel of colonial power.

Essentially, money is nothing more than a barter system that involves everyone. If you imagine a barter system that lets you trade goods or services, using “credits” as a proxy, and then trade those “credits” back for something else at a later time, you have imagined money. You could buy and sell things using this imaginary money, and the taxman would have a very difficult time figuring out your income or consumption. In fact, corporations are more frequently using imaginary money as a way to buy and sell goods, to the tune of billions of dollars per year. Technically, you would still have to pay taxes on whatever the dollar value of your imaginary money transactions was; but you are the one setting the exchange rate with dollars (you imagined it, after all) and there aren’t any bank records for the taxman to audit you with.

In fact, it is the ability for barter communities to avoid currency exchange rates which makes barter so appealing to people in places like Russia. Barter has some serious drawbacks, but when the government-sponsored currency is devaluing like crazy, barter seems like a stable option. In essence, Hawala and other forms of barter are simply mechanisms by which people exchange value outside the confines of a state-sponsored currency. Or to put it another way, they are alternative currency systems created by the participants because particular aspects of existing currency systems were not acceptable. A very simple example that makes this clear is the BREAD community, who print their own money in Berkeley, CA. Interestingly, their money represents hours of labor in an attempt to enforce the ideal that everyone should receive the same hourly wage. This seems like the most effective way possible to ignore value in favor of effort and prove how stupid Marxism is. In true Berkeley fashion, they claim to be a “movement”, and make lots of “grass roots” noises. This comprehensive report on the size and scope of the world’s “shadow economy” should expose the BREAD people as nothing more than enthusiastic amateurs. The report shows that over half of the GDP of Ukraine is barter-based; and even in the U.S., the use of shadowy economic exchange techniques increased to account for an extra 2% of our GDP in the last decade (from 6.7% of GDP to 8.9%). It is interesting to note that “increasing social security burden” is cited by this report as the number one reason for increase in shadow economy activities. This point alone has got to keep policy makers squirming these days…


Pacifiers – Today MSNBC says that “pacifists are evil”. As much as I enjoy seeing polemic turned against someone other than Microsoft, and as much as I disagree with some pacifist notions, I think the article is seriously logically flawed. A pacifist is someone who believes that violence is an ineffective method of solving problems. This belief manifests itself in two major ways: First, the pacifist refuses to participate in military or violent actions against others. Second, the pacifist will sometimes attempt to dissuade others from using violence, or perhaps even actively work to thwart the use of violence by others. The article makes the mistake of lumping all pacifist behaviors into the category of “actively thwarting” attempts of others to use force, and further assumes that pacifists only attempt to sabotage their own nations’ use of force. If this were true, pacifists would indeed be evil.

Fortunately, nothing in the pacifist credo says that pacifists must actively sabotage their own nations’ military efforts, and in fact there are plenty of ways that pacifists can (and do) contribute to their nations’ defenses. Many members of the American Red Cross are pacifists, and everyone can agree that the Red Cross has already played a significant role in protecting Americans. Nobody would call the work of the American Red Cross “evil”, although the work is clearly non-violent.

On the face, the author’s arguments seem logical:

  • Premise: The terrorists used violence against innocent people who could not possibly have wronged them, so we cannot be safe unless we eliminate the terrorists.
  • Premise: Pacifists do not want us to kill the terrorists.
  • Conclusion: Therefore, pacifists want more people to be killed by terrorists.

It’s not very difficult to find the flaws in this proposition, though. The conclusion assumes that pacifists believe the first premise the same way that we do. In fact, the pacifists may believe that eliminating the terrorists will make things worse, and therefore they believe that they are in favor of saving American lives. Essentially, all the article does is point out that pacifists and non-pacifists have different beliefs. And there is no logical basis whatsoever for claiming that pacifists support more American deaths; they clearly think that we support more American deaths. And finally, even if we think that the pacifists are completely foolish, that does not “de facto” mean that they are “evil” or “the enemy”. In fact, someone once said “I may disagree with what you say, but I will defend to the death your right to say it.” This is the very first freedom listed in the American Bill of Rights, and is what we are trying to defend. People have a right to believe what they want and say what they want, no matter how wrong they are. The author of the MSNBC article seems to think that free speech is the enemy, and not the thing that we are fighting to defend.

Now, the author tries diligently to make the case that pacifists are somehow sabotaging those of us who believe that violence is necessary. I am sometimes annoyed by the apparent illogic of certain pacifists, but I am also smart enough to realize that other people’s annoying rhetoric is not the same as those people attempting to sabotage what I do. It is undoubtedly the case that some pacifists throughout history have worked actively to foil their own governments’ war efforts “in the name of pacifism”. But such treason is a completely orthogonal issue to pacifism. What if these pacifists put their efforts instead into convincing Bin Laden that violence was not an answer? What if they had begun ten years ago to work on Bin Laden and encouraged him to accept non-violence? Would we then call them traitors? When the pacifists provide humanitarian aid to the Americans harmed by the terrorists, do we call them traitors? Of course not! Someone who refuses to hold a gun is nonetheless capable of being a friend to those who do. If that friend also nags constantly for you to put down your gun, then at least you know that he feels free to share his opinions. On the other hand, if he tosses your gun into the river while you sleep, he is an enemy, and you are right to slide your knife between his ribs. But contrary to what MSNBC’s commentator would have you believe, pacifists aren’t all trying to take away your freedom to defend yourself. Some small number of pathological pacifists may be, but there are just as many non-pacifists who want to disarm you and sabotage your ability to defend yourself. The picture painted by the author is not a picture of a pacifist, but a picture of someone who would be evil regardless of whether or not they professed pacifism.

squeeze the lifeblood

Squeeze the Lifeblood – The President said that money is the lifeblood of terrorist operations, and the coalition against terrorism is going to starve the terrorists by cutting off their cash supply. Controlling this flow of lifeblood will be far more difficult than controlling airport and stadium security here at home. The flow is heavily dependent on an Islamic concept called Hawala. The rules under Shi’a Islamic law are described here by Grand Ayatollah Lankarani. Hawala creates a sort of extranational extranet of money transfer that evades currency exchange laws (and fees) and capitalizes on the devaluation of smaller countries’ currencies. Basically, Hawala is an indirect method of transferring money, where you give money to a Hawala dealer on the promise that the Hawala dealer will have his buddy in another country make an equivalent gift to your buddy in that country. Of course, you would think that the Hawala dealer would eventually have to even up with the guy in the other country. And that would require a traceable international transaction of money, right? Rashmin Sanghvi explains why not. The Hawala dealers could go through the banks to transfer the debt, but then how could they offer a better exchange rate? No, they are smart; they just smuggle across something that has equivalent value to the accrued debt between their branch offices and is easier to transport. Obviously gold, diamonds, and drugs fit the bill. Consumer goods and especially electronics now fit the bill as well (either by straight smuggling or fudging invoices). The Economic Times describes how places like Nepal have recently become hubs for Hawala financing of terrorists. Especially in the case of Afghanistan, the link between Hawala and Terrorists would be very strong. Afghanistan is historically a smuggling-based economy, and the Taliban’s earliest ally was the powerful Afghan smuggling mafia that moves opium, weapons, and other goods between Iran, Pakistan, and Russia.
Before Osama, the Taliban were able to make money only off of taking toll taxes from the smugglers. Al Qaeda’s international sprawl permitted a perfectly complementary new product offering: Hawala networks in other countries that could simultaneously bring in much more revenue and keep the smugglers more heavily employed.

The power of the Hawala dealers and smugglers to make money is immense; it is estimated that nearly a trillion US dollars per year is moved through these networks. The profits come not only from avoiding international exchange fees and scrutiny, but in taking advantage of steadily devaluing currencies. And since Hawala is such a good deal for the customers (who can remain blissfully ignorant of how the Hawala dealers can offer such low prices), the demand will always be very high. The supply is basically constrained by the amount of valuable goods that can be smuggled across international borders. The sealing of the Iran and Pakistan borders seen in this light was a very good move, because the “flow” of smuggled goods is directly proportional to the “flow” of cash into Al Qaeda and Taliban coffers. On the other hand, attempts to control the flow of smuggled goods that fuel an insatiable public demand seem uncannily familiar. This is roughly identical to the situation that is faced in the “war on drugs”, and we all know who is losing that one. It is hard enough to train marijuana-sniffing dogs, let alone diamond-sniffing dogs. Certainly there are some differences, but our failure to control smuggling of drugs or people’s consumption of drugs should be evidence that we are biting off a huge task in attempting to control smuggling of all types and people’s consumption of tax-free financial services. In fact, this relates to one of the reasons often given for the U.S. government’s opposition to strong crypto. Strong crypto enables the growth of extranational banks that could exist beyond IRS (or FBI) scrutiny, and eventually deplete all income to the treasury as risk-free tax evasion becomes accessible to everyone. Controlling the flow of “small but valuable” goods is the other half of being able to collect taxes.
So the two-pronged effort to gain more visibility into people’s bank accounts while restricting the smuggling of contraband has the happy coincidence of having a two-pronged payoff. We squeeze off the lifeblood of terrorists (and other aficionados of small, expensive things like Stinger missiles) while simultaneously clearing the arteries for the life-blood taxes of world governments. When you look at it that way, it’s their blood or ours, and we clearly have no choice but to fight.

Hawala is not the only name for this type of extranational banking. These are pretty much the same techniques used by money launderers who have no knowledge of Islam. The difference in this case is that Hawala across borders is endorsed by most of the Islamic banks, because the Quran sees the combined mass of believers (Ummah) as being a nation that takes precedence over political nations. Hawala between Muslims is not subject to national laws or taxes. This wouldn’t be such a threat to western governments, except for the fact that Islamic banks are becoming large enough to register on the radar of the Japanese and European Banks. The Islamic banks’ use of Hawala creates a 200 billion dollar international banking system that is officially free from Western meddling and taxes, and is useful to people like Bin Laden. And the Islamic banks are now big enough to resist pressure from the United States. Stating his confidence that the U.S. will be unable to crack into the Islamic banks in the wake of the WTC attacks, a banker in Bahrain says “If they touch Islamic funds, their own economies will be affected, and we know that economic considerations are top priority for Western countries”.

Changing subjects, I bet the author of this paper is realizing how wrong he was by now.

blind lead

Blind Lead – Paul Nakada reports on what the author of the original Internet Worm is now up to; apparently peer-to-peer storage a la Farsite. Miguel de Icaza reveals to Dare “Carnage4Life” Obasanjo why he chose C# instead of Java.

Tried Snappy Dragon for the first time today. It is pretty good, just like home cooking. I can recommend everything I tried: the jiaozi, humbow, green onion pancakes, and “sizzling rice soup”.

IIS is gaining against Apache in web server share, and Gartner wants to turn the tide. Now I admit that I might be biased, but this report strikes me as surprisingly ignorant and dangerously misleading. The report makes two fundamental claims:

  1. Apache and iPlanet “have much better security records than IIS”.
  2. Apache and iPlanet “are not under active attack by the vast number of virus and worm writers”.
  • IIS has better security – The analyst claims that these other web servers have much better security records, but the evidence points to the contrary. The first point the author seems to be missing is that a security bug found and patched is a good thing. My firsthand experience tells me that hackers usually know about security holes in products for many months or even years before a “white hat” security person finds the hole and patches it. Claiming that a product is secure just because it has (slightly) fewer publicized security patches is like claiming that Mozilla isn’t buggy because the bugzilla database doesn’t have many bugs entered. Testing isn’t the sort of thing that most developers find “fun”, and volunteer testing isn’t the same as professional testing. Certainly there is a relationship between overall product quality and the number of bugs that get found. But when you don’t pay good people to find holes in your software, you shouldn’t be surprised when you (and your customers) never know about holes that exist. Furthermore, the author ignores the fact that all of the worms thus far have used known exploits, for which patches have been available for months or longer. The fact that the holes are always discovered and patched before worm authors can exploit them is evidence that someone is doing a good job.
  • Monoculture Arguments are Irrational – The author’s comment about iPlanet and Apache not being “under active attack by the vast number of virus and worm writers” could imply a few different things. Between SirCam, CodeRed, Nimda and (charitably) Code Blue and Code Red II, I count 5. And since all of these people used the same set of previously patched vulnerabilities, I am not sure that you could call these 5 people “writers”. So it seems a bit of a stretch from “5 copycat script kiddies” to “vast number of worm and virus writers”, but even accepting this assertion, we are expected to buy the tired monoculture meme. Since most people use IIS, then criminals target IIS; so therefore you should use something different to “throw them off”, advises the crafty analyst. I consider the whole monoculture idea to be so inane as to be not worth debunking (for every example of a system made weaker by homogeneity, you can find an example of a system made stronger by homogeneity; homogeneity is a de-facto proof of nothing about a system’s resilience).
  • Obscurity? – Some of the “security analysts” like to rail against “security through obscurity”. Like the “monoculture” folks, they go to inane extremes, even recommending transparency where it is not appropriate. But this analyst seems to be endorsing obscurity where most reasonable people would agree it is a bad idea. Product security benefits, say the pundits, when you have more people (rather than less) picking at the product and trying to find holes. So the author’s claim that there are more users (and hackers) of IIS would imply that the product is becoming increasingly more secure at a faster pace than alternatives.
  • Patching IIS is Easier – As far as I know, IIS is still the only product that has the capability to silently monitor machine configuration and as soon as a new patch is available, alert the administrator and offer to apply it. And even without this feature, I cannot believe that any of the other alternatives would ever even come close to IIS ease of use in usability testing where a number of admins are asked to apply patches. Furthermore, since the author admits that properly installing the patches would have protected a system, he offers a really strange choice. Ripping and replacing the entire platform and converting existing apps using the less productive platform, testing, debugging and ultimately keeping on the treadmill of applying patches to that system — this is what he chooses instead of simply applying the patch to the existing system.
  • Rate of Patching is Irrelevant – The analyst claims that IIS has new patches too often, so it is difficult to keep up. Besides the fact that rate of patches is not a negative indicator of security, it is also a patently false claim that this has ever been an issue in spread of worms. The people who got infected, in the vast majority of cases, did not apply any patches. If there had been only one patch, they still would have been infected. And people who keep up with patches tend to keep up with patches. It’s that simple.
  • Rate of Patching is Normal – For comparable products where the vendor actually spends money discovering and patching holes, the number of security holes found and patched in IIS is normal. Is the author recommending that companies tear out all of their Cisco routers and replace them with random components from unpopular vendors or hobbyists?
  • Contradictory Advice – The author first points out that all of the worms exploited the same vulnerabilities, and that these vulnerabilities have been fixed for some time. Then he claims that those vulnerabilities will not cease to be exploited until Microsoft writes a completely new version of IIS. So let me get this straight: if people install the patches, they won’t be infected by the worm, but the worm still infects people because? A logical person would answer “because people don’t install the patches”. But this analyst replies “because Microsoft doesn’t rewrite IIS”. If people don’t install the patches, why would they install yet another version of IIS (and, BTW, the already-released “new” version of IIS is not vulnerable to these worms)?
  • Dangerously Misleading – The article leaves the impression with the reader that there exist some “other platforms” (iPlanet and Apache) that do not require patching, or at least allow an administrator to be significantly less vigilant about patching. This is a dangerous and irresponsible attitude to be encouraging, and it is utterly false. Additionally, the article continues to propagate the misconception that the software at the endpoint is the central issue in “Code Red” scale worm attacks. When the network is being saturated by floods from infected machines, installing Apache repeatedly on your machine isn’t going to help one whit. And if everyone were using Apache instead, the network would be just as inaccessible when a worm is released that exploits Apache vulnerabilities. So encouraging people to switch from IIS ignores the fact that worms are a network problem, and assumes that no further exploits will ever be found in Apache (which is again a dangerously irresponsible perception to be encouraging).

Changing subjects, I wonder if any impudent youth will dress up like Osama Bin Laden this year for Halloween? I wonder if we will read in the paper about any of them being shot by duped passers-by?

sunny day

Sunny Day – we went out to the Olympic peninsula to watch the competitors in the “Big Hurt” race. Contestants travel nearly 70 miles on mountain bike, road bike, kayak, and foot. This year, Canadians took first and second place. The American who took first last year was third across the finish line today. At least five people from building 2 at Microsoft competed; one of our guys was in the top 20. Most people looked pretty hurt by the time they crossed the finish line, but it looks fun too. I wonder if I could get in shape enough to run the course next year?

Washington State runs the largest ferry system in the nation. All of the previous times that we’ve gone to the Olympic Peninsula, we have departed from Seattle. Today we shaved at least two hours off of the trip by departing instead from Edmonds, which is further north on the Puget Sound. Besides hosting the “Big Hurt”, Port Angeles is a convenient departure point for Victoria, the capital of British Columbia in Canada. It is possible (for stronger kayakers than I) to kayak from Port Angeles to Victoria. Port Angeles is also the entry point to major areas of the Olympic Mountains, including Hurricane Ridge. Today would have been a perfect day to visit the ridge, but we didn’t have time.

the crufatin liveth

The Crufatin Liveth – When reading the reports of how unified the world is in its opposition to terrorism, I wonder if people notice that the leaders of the world are united, but not necessarily the citizens? One of the more common sentiments voiced by people writing about the WTC destruction is “Why can’t we just turn back the clock and go back to the way things were?” And we know the reason why the coalition of world leaders is going to exterminate terrorists: we need to make certain that the established world order can never be disrupted again. I can certainly support that sentiment; my life is happier than I ever really expected it could be, and I support anything that keeps things that way. However, the majority of the world’s people are not happy with the way things are, and were not terribly satisfied with the world order before September 11. It’s easy to see why Pakistan’s military leader would like to see things stay the way they were, but it’s also easy to see why many Pakistanis don’t really care much one way or the other. And despite our refusal to notice, neither do many Americans.

This is something that we try very hard to ignore. Things today are different from the days when kids followed around Bob Seger, Disco, or Rave DJs. The best way to meet other elite kids today is to participate in anti-globalization insurgency. Kids today aren’t happy with the scraps they’ve been left. Who can forget the anguish of the “establishment” when my generation turned Woodstock into an orgy of vandalism and destruction? And in all of the hand-wringing, I don’t recall that any of the journalists really got the point: nobody wants to have their choices and identities defined by anyone else. The more that the establishment opened their arms in (sometimes embarrassingly enthusiastic) acceptance of the new generation’s interest in Woodstock, the more the new generation rejected this endorsement. I saw a psychologist recently speculating that terrorists choose the path of destruction because it is the only path that makes them feel like they are truly in control of their own environment. The dirty secret of our age is how many people actually feel that way.

Go ahead, explore these people’s grievances. Embrace them; heap fiery coals of understanding upon them. Validate them, and take away the last choice they have left.

more worm

More Worm – Reading through CERT’s analysis of the Nimda worm, it seems that this worm attacked only known holes, for which fixes have been available for some time. Both this and Code Red were fairly mild; it is not pleasant to imagine what could have been done if the authors had been just a bit more malicious or skilled. This is a clear threat, and I think our industry needs to start taking these things more seriously. There are four things that need to be done:

  • Reduce the number of vulnerabilities that get shipped – This means writing code that is more secure, and disabling risky features by default. Most of the people that get hit with these worms do not even need or use the features that the worm exploits.
  • Reduce the number of vulnerabilities “in the wild” – Security holes invariably slip into software, despite the best efforts of the coders. When holes are discovered, users should be able to trust that their machines will be updated to patch those holes.
  • Quarantine infected or vulnerable machines – ISPs and network administrators should have the power to detect and block machines that are infected or have known serious vulnerabilities. A simple passive network monitor could detect infected machines even if the vector of infection was an unknown security hole: a worm has to scan for new victims, and that fan-out is visible on the wire regardless of which hole it exploits. Another technique that could be used to select quarantine victims would be a tarpit, which accepts a scanner’s connection and then holds it open without ever completing the exchange, slowing the worm’s spread and identifying the host doing the scanning.
  • Capture and punish the worm authors – There is no such thing as absolute security. We don’t put up concrete barricades around our homes to keep out people who we know are perfectly capable of driving a truck through our front door. We know that the risk vs. reward profile for driving trucks through people’s front doors is not very favorable. In terms of writing and releasing computer worms, however, the risk to the author is fairly low. Penalties are not high, and the possibility of getting caught is low. Robert Morris could claim that he released the first worm to “draw attention to the threat”. The authors of Nimda and Code Red have a much more difficult time claiming that they are doing anything innovative or helpful. Our industry needs to work with law enforcement to make sure that the criminals are not invisible.
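To make the quarantine point concrete, here is an added example (written for this page; it is not code from CERT, from any ISP, or from the worm analysis) of the two kinds of passive detection described above. The first is a signature check against the probe URIs that Nimda and Code Red were documented to send, which only catches attacks on known holes. The second is a behavioural check that flags a host contacting an unusually large number of distinct destinations on one port inside a short window, which is what a worm looks like on the wire whatever hole it is exploiting. The flow records are constructed sample data, and the 60-second window and 20-destination threshold are assumptions a real deployment would tune.

```python
"""Passive worm detection: signature match plus fan-out (scan) detection.

Added example for illustration; not from the original page or any
vendor tool. Thresholds and sample data are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- 1. Signature check for probes against known, already-patched holes ---
# Patterns drawn from the probe URIs documented for Nimda (root.exe and
# cmd.exe reached via Unicode or double-encoded traversal) and Code Red
# (the .ida ISAPI overflow request). Catches only attacks on known holes.
KNOWN_PROBES = {
    "nimda-root.exe": re.compile(r"/root\.exe", re.I),
    "nimda-cmd.exe-traversal": re.compile(
        r"(%c0%af|%c1%1c|%255c|\.\./).*cmd\.exe", re.I),
    "codered-ida": re.compile(r"/default\.ida\?", re.I),
}


def probe_signature(request_path):
    """Return the signature name if the request path matches a known worm
    probe, else None."""
    for name, pattern in KNOWN_PROBES.items():
        if pattern.search(request_path):
            return name
    return None


# --- 2. Behavioural check that needs no signature: fan-out scanning ---
def find_scanners(flows, window=timedelta(seconds=60), threshold=20):
    """Flag sources that contact >= threshold distinct destinations on one
    port within any sliding window. Looks at spread, not payload, so it
    works even when the exploit itself is unknown.

    flows: iterable of (timestamp: datetime, src, dst, dport).
    Returns {src: (dport, distinct_destinations_seen, time_flagged)}.
    """
    recent = defaultdict(deque)      # (src, dport) -> deque of (ts, dst)
    flagged = {}
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        q = recent[(src, dport)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop records outside window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = (dport, len(distinct), ts)
    return flagged


# --- Constructed sample data (not captured traffic) ---
T0 = datetime(2001, 9, 18, 13, 0, 0)


def build_sample_flows():
    flows = []
    # Infected host: sweeps 40 addresses on port 80 in one minute.
    for i in range(40):
        flows.append((T0 + timedelta(seconds=i), "10.0.0.5",
                      "10.0.1.%d" % (i + 1), 80))
    # Normal host: a handful of web destinations over the same minute.
    for i, dst in enumerate(["192.0.2.10", "192.0.2.20", "192.0.2.30"]):
        flows.append((T0 + timedelta(seconds=10 * i), "10.0.0.7", dst, 80))
    # Slow crawler: 40 destinations, but one per minute, so never 20 inside
    # a single 60 s window; not flagged at the default settings.
    for i in range(40):
        flows.append((T0 + timedelta(minutes=i), "10.0.0.9",
                      "10.0.2.%d" % (i + 1), 80))
    return flows


if __name__ == "__main__":
    for path in ["/scripts/root.exe?/c+dir",
                 "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
                 "/default.ida?NNNNNNNN", "/index.html"]:
        print("%-55s -> %s" % (path, probe_signature(path)))
    for src, (port, n, ts) in find_scanners(build_sample_flows()).items():
        print("quarantine candidate %s: %d destinations on port %d by %s"
              % (src, n, port, ts.time()))
```

The behavioural detector is the one that matters for the "unknown hole" case: the signature list is stale the day after a new worm ships, but a scan is a scan. In practice the same logic runs over NetFlow or firewall logs at the ISP edge, and the host it flags is a reasonable candidate for a tarpit or a block until it is cleaned.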

Today talks about some IE6 and XML conformance issues that recently got me into hot water on the xml-dev mailing list. Customers get really upset if you break their existing stuff, but the standards warriors get really nasty when you don’t implement section blah.diddly.blah of the spec. I tend to be rather standards-fascist myself. But, in the words of one of our devs, “backwards compatibility is the worst slave-master I’ve ever met.” We came to a fairly acceptable agreement on the list, and hopefully we will be able to do even better; the trick now is to make sure it happens.

We are fighting against terrorists, not against Muslims. That message is doing well here at home. But news today is that thousands of angry people in Pakistan, Bangladesh, and Indonesia don’t believe us. We had better make sure to honor our claim, defend the truth of that claim in places like these, and continue to fight against those who want to provoke a holy war.

Speaking of militant extremists, some guy shot the guard at the federal building in Detroit today. I used to walk past that building every day to get lunch, and have been through the security checkpoint a few times. The checkpoint there is pretty much the same as the one at the federal building here in Seattle; you get frisked, walk through a metal detector, and are not permitted to carry any bags through. What this guy thought he would accomplish by shooting the guard is a mystery; even if he had gotten past the guard, there isn’t much in that building to see.